serving files securely from virtual directory

Status
Not open for further replies.
Sep 18, 2003
43
US
Hi,
We are building a client web service which serves very large PDFs. These PDFs are on a file server separate from our IIS server. They lie in a virtual directory of the IIS server called "PDFS".

How do we isolate clients to their files and obscure the path to these files so nobody just guesses random file names to access other people's files? I.e. the front end only shows the client what PDFs they have, and they are transferred to the virtual directory when clicking the link. Does anybody have a similar service? The PDFs must lie on the separate file server as they are very large.
Any input would be greatly appreciated.
 
I would suggest creating a page that handles all requests to download these files (let's call it downloadfile.aspx) and then passing the name of the PDF file as a querystring to the page.

Then in download.aspx you could redirect the page to the file. e.g.
Code:
    Private Sub DownloadFile(ByVal virtualPath As String)
        ' retrieve the physical path of the file to download, and create
        ' a FileInfo object to read its properties
        Dim FilePath As String = Server.MapPath(virtualPath)
        Dim TargetFile As New System.IO.FileInfo(FilePath)
        ' clear the current output content from the buffer
        Response.Clear()
        Response.CacheControl = "Private"
        ' add the header that specifies the default filename for the Download/
        ' SaveAs dialog
        Response.AddHeader("Content-Disposition", "attachment; filename=""" & _
            TargetFile.Name & """")
        ' add the header that specifies the file size, so that the browser
        ' can show the download progress
        Response.AddHeader("Content-Length", TargetFile.Length.ToString())
        ' specify that the response is a stream that cannot be read by the
        ' client and must be downloaded
        Response.ContentType = "application/octet-stream"
        ' send the file stream to the client
        Response.WriteFile(TargetFile.FullName)
        ' stop the execution of this page
        Response.End()
    End Sub
You say that you already have a page that contains the validation to only show the client the files that are associated with them, so you could also build that logic into the above function before you serve them with that file. That would make sure that even if they guessed the name of another file, it wouldn't be served if it wasn't associated with them.

--------------------------------------------------------------------------------------------------------------------------------------------

Need help finding an answer?

Try the search facility or read FAQ222-2244 on how to get better results.
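
The check the reply above describes (only serve a file that is associated with the requesting client), as an added example that is not part of the original thread: the link carries an opaque document id instead of a file name, and the lookup succeeds only for the id's owner and only for a path inside the PDF directory. `DownloadGuard`, `PdfRecord`, `ResolveForClient`, the ids, client names and file names are hypothetical, and the code assumes a current VB.NET compiler.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO

Module DownloadGuard
    ' One row of the (hypothetical) table the front end already uses to list a client's PDFs.
    Class PdfRecord
        Public ReadOnly Owner As String
        Public ReadOnly FileName As String
        Sub New(owner As String, fileName As String)
            Me.Owner = owner
            Me.FileName = fileName
        End Sub
    End Class

    ' Constructed sample data: opaque document id -> owner and file name on the file server.
    Private ReadOnly Documents As New Dictionary(Of String, PdfRecord) From {
        {"7f3a9c", New PdfRecord("clientA", "clientA-statement.pdf")},
        {"b81e04", New PdfRecord("clientB", "clientB-statement.pdf")},
        {"c0ffee", New PdfRecord("clientA", "../web.config")}
    }

    ' Returns the physical path to serve, or Nothing when the request must be refused.
    Public Function ResolveForClient(baseDir As String, userName As String, docId As String) As String
        Dim record As PdfRecord = Nothing
        If docId Is Nothing OrElse Not Documents.TryGetValue(docId, record) Then Return Nothing
        ' Authorization: the id must belong to the authenticated user making the request.
        If Not String.Equals(record.Owner, userName, StringComparison.Ordinal) Then Return Nothing
        ' Containment: the resolved path must stay inside the PDF directory.
        Dim root As String = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar) &
                             Path.DirectorySeparatorChar
        Dim full As String = Path.GetFullPath(Path.Combine(root, record.FileName))
        If Not full.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then Return Nothing
        If Not full.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase) Then Return Nothing
        Return full
    End Function

    Sub Main()
        Dim baseDir As String = Path.Combine(Path.GetTempPath(), "PDFS")
        Dim requests As String() = {"7f3a9c", "b81e04", "c0ffee", "unknown"}
        ' clientA asks for: own file, clientB's file, a record with a bad stored name, a guessed id
        For Each docId As String In requests
            Dim served As String = ResolveForClient(baseDir, "clientA", docId)
            Console.WriteLine(docId & ": " & If(served, "(refused)"))
        Next
    End Sub
End Module
```

In the download page, the path returned here would be what gets passed to `Response.WriteFile`, with the user name taken from the authenticated session rather than from the request.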
 
You can set this in IIS using ISAPI settings to handle PDF file formats just like the way it handles aspx pages.
IIS web: select properties/directory/configuration.
Just copy the one for the .aspx file extension and make one for .pdf


This is your web config:

Code:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="AllInternet" timeout="120" path="/"></forms>
    </authentication>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <location path="pdffiles">
    <system.web>
      <authorization>
        <deny users="?"></deny>
      </authorization>
    </system.web>
  </location>
</configuration>
Your login page.
Code:
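    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        ' remember where the user was headed before being sent to the login page
        If Not Page.IsPostBack Then
            ViewState("returnurl") = Request("returnurl")
        End If
    End Sub

    Private Sub btnLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        ' placeholder login: check the user's credentials here before issuing the cookie
        System.Web.Security.FormsAuthentication.SetAuthCookie("YourUserNameHere", False)
        ' only follow a return URL that is a local path on this site
        Dim ReturnUrl As String = CStr(ViewState("returnurl"))
        If ReturnUrl Is Nothing OrElse Not ReturnUrl.StartsWith("/") _
            OrElse ReturnUrl.StartsWith("//") OrElse ReturnUrl.StartsWith("/\") Then
            ReturnUrl = Request.ApplicationPath
        End If
        Response.Redirect(ReturnUrl)
    End Sub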


Simple link to your pdf in your pdffiles folder:
Code:
<html>
  <body>
    <form id="Form1" runat="server">
      <a href="pdffiles/application.pdf" target="_blank">PDF Click Here</a>
    </form>
  </body>
</html>
 